Merge branch 'seeddms-5.1.x' into seeddms-6.0.x

Uwe Steinmann 2023-08-25 20:18:48 +02:00
commit c3094ce87f
3 changed files with 19 additions and 10 deletions


@ -272,6 +272,8 @@
- show errors of none activated extensions and do not allow to activate it,
if there are errors (e.g. missing php extensions)
- move Approve/ReviewDocument in a controller
- setting password by user can be disabled
- groups from ldap can be synced with seeddms groups
--------------------------------------------------------------------------------
Changes in version 5.1.31


@ -2,14 +2,14 @@ Ldap configuration
===================
The configuration for authentication against an ldap server needs to be done
the settings.xml file using a text editor. It cannot be edited from within the
in the `settings.xml` file using a text editor. It cannot be edited from within the
web gui.
SeedDMS supports ldap authentication using an Active Directory (AD) or a
regular ldap server, e.g. openldap
The location of the ldap server is specified in two parameters: 'host' and
'port'. 'host' can be either a plain hostname or an ldap URI, including the
The location of the ldap server is specified in two parameters: `host` and
`port`. `host` can be either a plain hostname or an ldap URI, including the
protocol, the host and optionally the port, e.g. ldap://localhost:389. In case
of an URI the port in the configuration must remain empty.
@ -31,8 +31,8 @@ If the second bind succeeds the user could be successfully authenticated.
The data from the ldap server can be used to create an account in SeedDMS
if the user trying to login does not exist yet, but was able to authenticate.
This will only be done if 'authentication->restricted' in the configuration
is set to true. In that case the common name (cn) and email address is taken
from ldap. Existing accounts in SeedDMS will not be updated with data from
is set to false. In that case the common name (cn) and email address is taken
from ldap. An already existing account in SeedDMS will be updated with data from
ldap.
Examples


@ -153,7 +153,7 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
* address.
*/
if ($bind) {
if (isset($settings->_ldapFilter) && strlen($settings->_ldapFilter) > 0) {
if (!empty($settings->_ldapFilter)) {
$search = ldap_search($ds, $settings->_ldapBaseDN, "(&(".$ldapSearchAttribut.$username.")".$settings->_ldapFilter.")");
} else {
$search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.$username);
@ -168,18 +168,25 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
/* If the previous bind failed, try it with the users creditionals
* by simply setting $dn to a guessed dn (see above)
* FIXME: This is probably a bad idea because users filtered out
* Don't do this if a filter is set because users filtered out
* may still be able to authenticate, because $tmpDN could be a
* valid DN. Example: if baseDN is 'dc=seeddms,dc=org' and the
* valid DN which do not match the filter criteria.
* Example: if baseDN is 'dc=seeddms,dc=org' and the
* user 'test' logs in, then $tmpDN will be 'uid=test,dc=seeddms,dc=org'
* If that user was filtered out, because filter was set to '(mail=*)'
* and the user doesn't have a mail address, then $dn will not be
* set and $tmpDN will be used instead, allowing a successfull bind.
*/
if (is_bool($dn)) {
if (is_bool($dn) && empty($settings->_ldapFilter)) {
$dn = $tmpDN;
}
/* Without a dn don't even try to bind. It won't work anyway */
if(!$dn) {
ldap_close($ds);
return null;
}
/* Check if user already exists in the database. Return with an error
* only if the sql statements fails, but not if no user was found.
*/
@ -193,7 +200,7 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
$bind = @ldap_bind($ds, $dn, $password);
if (!$bind) {
ldap_close($ds);
return false;
return null;
}
// Successfully authenticated. Now check to see if the user exists within
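Review bot: The new guard `if(!$dn) {` in the second hunk stops the bind when no DN was resolved, but a resolved DN with an empty password still reaches `@ldap_bind($ds, $dn, $password)` in the last hunk, and many directories treat that as an unauthenticated bind that succeeds; unless the enclosing method already rejects empty passwords before these hunks, extend the guard to `if (!$dn || $password === '') {`. The search call right below the first hunk's new `!empty($settings->_ldapFilter)` check still concatenates `$username` unescaped into `"(&(".$ldapSearchAttribut.$username.")".$settings->_ldapFilter.")"`; passing `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` there would keep a crafted login name from altering the filter that the new filter-only fallback now depends on. The change from `return false` to `return null` in the last hunk presumably aligns with the `return null` paths added above; a short comment on the method stating what null versus false means to callers would help, since its signature is outside the hunk. The enclosing method starts and ends outside these hunks.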